Threat actors are actively exploiting a critical unauthenticated remote takeover vulnerability in Oracle E-Business Suite (EBS), tracked as CVE-2026-46817, with live attack activity captured on honeypot infrastructure over the weekend of June 27–28, 2026. The exploitation was first observed at scale just days after Oracle issued its patch, suggesting that attackers moved rapidly to weaponize the flaw.
What Is CVE-2026-46817?
CVE-2026-46817 is a critical-severity vulnerability residing in the Oracle Payments product within Oracle E-Business Suite, specifically in the File Transmission component. It carries a CVSS 3.1 base score of 9.8 — the highest possible range — and allows an unauthenticated attacker with network access via HTTP to fully compromise Oracle Payments, leading to complete takeover of confidentiality, integrity, and availability of the affected system.
Affected versions span Oracle E-Business Suite 12.2.3 through 12.2.15. The CVSS vector reflects the low attack complexity and zero authentication requirement, making this flaw trivially exploitable at scale across internet-facing deployments.
Active Exploitation Confirmed
The first known in-the-wild exploitation was detected on Oracle E-Business Suite honeypots during the weekend of June 27–28, 2026. No public proof-of-concept (PoC) code exists, indicating that the threat actor may be operating with privately developed exploit capabilities.
Attack traffic captured on Defused honeypots revealed targeted POST requests to /OA_HTML/ibytransmit, the Oracle iPayment file transmission endpoint. The attacker IP 45.84.137.125, operating through AS136787 PacketHub S.A. (France), targeted port 443 and submitted a crafted XML DeliveryRequest payload.
The payload contained a CODEX_PULL transmission scheme, with the FULL_FILE_PATH parameter set to /etc/passwd — a classic indicator of a local file read/path traversal exploitation chain designed to exfiltrate sensitive system files from the underlying OS.
Scale of Attack Activity
According to Shadowserver, there were a combined 456 hits on June 28 across all monitored regions. North America absorbed the largest share with 193 hits, followed by Asia with 181, Europe with 53, South America with 18, Africa with 9, and Oceania with 2. The geographic spread indicates broad, opportunistic scanning rather than a targeted campaign, consistent with an actor automating exploitation against any reachable Oracle EBS instance.
Patch Timeline and Remediation
Oracle addressed CVE-2026-46817 in its May 2026 Critical Security Patch Update (CSPU), released on May 28, 2026. The update addressed 35 unique CVEs across multiple Oracle product families, with 11 classified as critical. A supplementary June 2026 CSPU was released on June 16, 2026, reinforcing Oracle’s advisory posture.
The gap between the patch release (May 28) and active exploitation (late June 2026) is approximately four weeks — a timeline consistent with attackers reverse-engineering patches to develop private exploits. The absence of any public PoC code makes the private exploit tooling particularly concerning.
Indicators of Compromise
Organizations should hunt for the following in their logs and network telemetry:
- Attacker IP: 45.84.137.125 (AS136787 PacketHub S.A., France)
- URL Path targeted: /OA_HTML/ibytransmit
- User-Agent string: ibytransmit-lab-poc/1.0
- Transmission Scheme: CODEX_PULL_* values in exploit payloads
- File target in payload: /etc/passwd in FULL_FILE_PATH parameter
Recommended Immediate Actions
Organizations running Oracle E-Business Suite should act without delay:
- Apply the May 2026 CSPU patch for EBS versions 12.2.3 through 12.2.15 immediately.
- Block or restrict public internet access to Oracle EBS interfaces, particularly the /OA_HTML/ path.
- Audit web server and proxy logs for POST requests to /OA_HTML/ibytransmit with unusual XML payloads.
- Threat hunt for attacker IP 45.84.137.125 and the User-Agent ibytransmit-lab-poc/1.0 across firewall and SIEM telemetry.
- Conduct a compromise assessment if patching was delayed beyond May 28, 2026, as any unpatched system exposed to the internet must be treated as potentially breached.
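One way to turn the indicators listed above and the log-audit steps into a repeatable check, as an added example that is not part of the original advisory: it parses Apache-style combined access-log lines (an assumed format; Oracle HTTP Server and most proxies can emit it) and, where a WAF or reverse proxy captured the POST body, inspects it for the CODEX_PULL scheme and the FULL_FILE_PATH parameter. The sample log lines and XML body are constructed, the XML element names are assumed, and the `../` traversal check is a broader heuristic beyond the single `/etc/passwd` value the advisory reports.

```python
import re
from typing import Optional

# Indicators quoted from the advisory above.
IOC_IP = "45.84.137.125"
IOC_PATH = "/OA_HTML/ibytransmit"
IOC_UA = "ibytransmit-lab-poc/1.0"

# Apache-style "combined" access-log line (assumed format; adapt the regex to
# whatever your Oracle HTTP Server, proxy or WAF actually writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def payload_indicators(body: str) -> list[str]:
    """Check a captured XML DeliveryRequest body. Element layout is not assumed;
    only advisory parameter names/values are matched, plus '../' as an assumed heuristic."""
    hits = []
    if "CODEX_PULL" in body:
        hits.append("codex_pull_scheme")
    if "FULL_FILE_PATH" in body and ("/etc/passwd" in body or "../" in body):
        hits.append("suspicious_full_file_path")
    return hits

def check_request(line: str, body: Optional[str] = None) -> list[str]:
    """Return indicator names matched by one access-log line and, when a WAF or
    reverse proxy captured it, the POST body (plain access logs lack bodies)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line; surface these separately in a real hunt
    hits = []
    if m["method"] == "POST" and m["path"].split("?")[0].lower() == IOC_PATH.lower():
        hits.append("post_to_ibytransmit")
    if m["ip"] == IOC_IP:
        hits.append("known_attacker_ip")
    if IOC_UA in m["ua"]:
        hits.append("known_user_agent")
    if body:
        hits.extend(payload_indicators(body))
    return hits

# Constructed sample records (not real telemetry); XML element names are assumed.
ATTACK_LINE = ('45.84.137.125 - - [28/Jun/2026:03:14:07 +0000] "POST /OA_HTML/ibytransmit '
               'HTTP/1.1" 200 512 "-" "ibytransmit-lab-poc/1.0"')
ATTACK_BODY = ('<DeliveryRequest><TransmissionScheme>CODEX_PULL_TEST</TransmissionScheme>'
               '<FULL_FILE_PATH>/etc/passwd</FULL_FILE_PATH></DeliveryRequest>')
BENIGN_LINE = ('10.20.30.40 - - [28/Jun/2026:03:15:00 +0000] "GET /OA_HTML/AppsLogin '
               'HTTP/1.1" 200 8192 "-" "Mozilla/5.0"')
```

Calling `check_request(ATTACK_LINE, ATTACK_BODY)` returns all five indicator names, while `check_request(BENIGN_LINE)` returns an empty list; a single `post_to_ibytransmit` hit from an unknown IP is still worth reviewing, since the attacker IP and User-Agent are trivially changed.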
Given the confirmed emergence of private exploit tooling and the lack of public PoC code, unpatched Oracle EBS deployments remain at severe risk. The active exploitation — spanning hundreds of attack attempts across multiple continents in a single day — underscores the urgency of immediate remediation.